The best practice really depends on your own business security. I generally change them yearly as a minimum and also whenever someone leaves that may have access to them. If you are in a high risk area, then they should be changed more frequently.
Hope this helps.